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Chairman Ratcliffe, Chainnan Katko, Ranking Member Richmond, Ranking Member Coleman, 
and members of the Subcommittees, thank you for the opportunity to participate in this hearing 
on the critically important topic of understanding and mitigating cybersecurity threats to our 
nation’s airlines, airports and national aviation system. 

According to the Federal Aviation Administration (FAA), more than 2.5 million passengers fly 
in and out of America’s airports each and every day. The most recent available statistics show 
US airports facilitated the shipment of more than 40 billion pounds of cargo. In total, our 
nation’s airports along with our airline partners and all other aspects of the aviation industry 
contribute more than 5.1% to our national GDP. By any standard, airports, particularly our 
commercial airports are incredibly complex, connected critical infrastructure ecosystems that are 
essential not only to our nation’s economic prosperity, but to our national security as well. 

The size and scope of operations, as well as the passenger volume in our nation’s airports is vast. 
The FAA classifies the nation’s 30 largest airports by passenger volume, as large hub airports. 
Tampa International is in that category. Out of those 30 airports designated as large hubs, the 
top four or five have more passengers flowing through them on an annual basis than the entire 
population of the United States. 

As with most industries, to meet the increasing demand and needs of international commerce and 
the traveling public, airports along with our airline partners, have increasingly relied on 
technology out of operational necessity and to enhance passenger safety, security and 
convenience. The ubiquitous use of technology has made airports, airlines and global aviation 
more efficient and has undergirded and facilitated the tremendous growth of global mobility, 
commerce and connectivity. However, as a result of our increasingly interconnected and 
technologically dependent world, airports and airlines, like other industries face significant 
challenges from a looming cyber threat environment. 

In today’s modern and technologically advanced airports, there are virtually no areas or functions 
that do not rely at some level on a digital network, data transfer, computer application or 
interface with the internet. Virtually all functions that are essential to airport operations, as well 
as aviation safety and security, such as access controls, navigation, airfield lighting, 
communications, industrial system controls, and emergency response systems rely heavily on a 
multitude of technology applications and platfonns. Moreover, airport information systems 
contain or process tremendous amounts of sensitive data such as passenger manifests, security 
plans, and data containing financial and personally identifiable information (PII). 

The operational importance of these systems coupled with the fact that they are often 
interconnected through networks and remote access points makes airports, immensely appealing 
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targets and potentially vulnerable to malicious cyber threats, such as criminal organizations and 
state sponsored actors. 

Given the rapidly growing reliance on technology as well as the implementation of future 
technologies such as Next Generation Air Transportation System (NextGen) and remote air 
traffic control towers, it is my opinion that cybersecurity risks without question represent the 
preeminent and persistent threat to the continuous, safe, secure and efficient operations of US 
airports and the global aviation system. 

One of the clearest examples of this threat to aviation safety and security was confirmed by the 
FBI and the Department of Homeland Security (DHS), Computer Emergency Readiness Team 
(CERT) earlier this year when they officially acknowledged that hackers attempted to penetrate 
the US civilian aviation, energy, and other critical infrastructure sector networks. CERT released 
a report on March 15 detailing what were believed to be state sponsored cyber efforts that 
targeted "US Government entities as well as organizations in the energy, nuclear, commercial 
facilities, water, aviation, and critical manufacturing sectors." The attempted attack was 
detennined by intelligence assessments to be a sophisticated and coordinated assault that could 
have resulted, if successful, in significant potential disruptions to our critical infrastructure. 

Imagine if you will, the potential dire consequences of a successful coordinated cyber-attack on 
any one or more of our large hub airports. The potential resulting disruption, chaos, and 
economic harm could be enormous. Consider the consequences of a single non cyber-related 
disruption that occurred at Atlanta International Airport in December 2017. In that instance, a 
power failure at Hartsfield-Jackson disrupted operations at the world’s busiest airport, which 
resulted in the cancellation of more than 1,150 flights and stranded thousands of passengers in 
tenninals and on planes for hours. The power failure at the airport, which moves more than 100 
million passengers a year and serves as a major hub for domestic and international flights, led to 
additional disruptions across the country and affected flights in Chicago, Los Angeles and 
abroad. 

The full economic impact resulting from this incident is still being fully assessed but 
conservatively the estimated losses in productivity as well as direct costs could be well in excess 
of $40 million. The power disruption in that instance was detennined to have been caused by fire 
in a critical airport electrical node. However, had the incident been the result of a cyber-attack, 
the consequences of disruption, psychological impact and costs could have been far greater. 

In short, computers, keyboards and kiosks have become the newest tools of criminals and the 
new weapons of war, and it is of paramount importance that we exercise increased urgency and 
vigilance to anticipate, identify and mitigate cyber threats to our nation’s airlines, airports and 
aviation system critical infrastructure. Given the nature of these existing and growing threats, 
proactively implementing standards, protocols and counter measures to protect ourselves against 
potential catastrophic system disruption must be one of our highest priorities. 

While there is no perfect defense against cybersecurity threats within the aviation industry or any 
industry for that matter, there are critical activities that we must undertake to mitigate as many 
risks as possible. For the purposes of this hearing, I have distilled my remarks down to three 
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critical areas that I believe present the best opportunity for airports along with our airline 
partners and aviation sector stakeholders to achieve greater preparedness, responsiveness and 
resilience. 


Mandatory Minimum Standards 

Under the Federal Information Security Management Act (FISMA), which defines a 
comprehensive framework to protect government information, operations and assets against 
natural or man-made threats, Federal agencies are required to adopt and implement a baseline 
national standard for cybersecurity preparedness. In 2013, President Obama issued Executive 
Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, which called for the 
development of a voluntary risk-based cybersecurity framework that is "prioritized, flexible, 
repeatable, performance-based, and cost-effective." Subsequent executive orders and 
Presidential Directives have also been issued to address and respond to the ever-changing 
cybersecurity threat landscape and strengthen the requirements by Federal agencies for ensuring 
and maintaining a baseline level of preparedness. 

Although, airports, airlines and other aviation stakeholders have engaged in building and 
achieving various levels of cybersecurity capability, maturity and resilience, there are currently 
no significant requirements for adherence to minimum standards for preparedness. According to 
a survey of airports in the United States, by the Airport Cooperative Research Program (ACRP) 
as publish in 2015 in its Guidebook on Best Practices for Airport Cybersecurity, only nine out of 
twenty-four (34%) of airport respondents indicated that they had implemented a national 
cybersecurity standard or framework. 

I believe that we are at a point in the growing threat environment where voluntary compliance is 
no longer adequate. I believe that strong consideration should be given by Congress and by 
regulatory agencies such as the FAA and Transportation Security Administration (TSA) which 
have primary responsibility for oversight and regulation of aviation operational safety and 
security respectively, to mandate the adoption and implementation of unifonn minimum cyber 
security standards and frameworks. The National Institute of Standards and Technology (NIST) 
Framework for Improving Critical Infrastructure for Cybersecurity provides robust and 
comprehensive guidance for establishing minimum standards for the aviation sector. 

Such a baseline cybersecurity framework would not replace an existing cybersecurity program 
that an organization already has in place. The framework would be used to augment, enhance 
and strengthen any existing program and align it with best practices for greater coordination and 
effectiveness throughout the aviation industry. For airports, airlines and key stakeholders that do 
not have a baseline cybersecurity program, such a requirement would ensure a minimum level of 
readiness and facilitate the development of greater preparedness and program maturity. 
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Cyber Security Information Sharing & Communication 

While one of the stated objectives of EO 13636 focused on increasing information sharing 
between government and the private sector, it has not been as effective as it could be due to the 
voluntary nature of the program. The sharing of infonnation and threat intelligence is a critical 
component to assessing airport and aviation sector vulnerabilities, enhancing our preparedness, 
as well as giving airports and our airline partners the ability to more effectively respond and 
recover in the event of a cybersecurity incident. 

Often information sharing practices within the aviation sector have been reactive versus 
proactive. A voluntary information sharing program may have arguable utility when reacting to 
and recovering from a cyber-incident, but often possesses minimized utility effectiveness in 
preventing an incident when not shared in a timely manner. 

To strengthen infonnation sharing, consideration should be given to requiring mandatory 
disclosure of cyber incidents that meet an agreed-upon threshold irrespective of whether or not 
the incident resulted in a data breach or system compromise. Information sharing standards 
should ideally address whom the information should be shared with and its confidentiality within 
the industry in line the protections currently afforded to airport System Security Information 
(SSI). 

Recent laws such as the Cybersecurity Information Sharing Act (CISA) and the corresponding 
programs such as the DHS Cyber Information Sharing and Collaboration Program (CISCP), if 
coupled with the implementation of mandatory minimum standards within the aviation sector, 
may help to accelerate the progress of information sharing and collaboration. However, 
mandating a minimum common standard and enhancing opportunities to share critical 
cybersecurity threat intelligence in a timely manner, will ultimately result in greater industry 
wide capability to combat cyber security risks. 

Information Security Awareness and Workforce Training 

Notwithstanding the most effective program standards, technological cybersecurity defenses and 
threat intelligence information sharing efforts, the human factor remains the most highly 
exploited vector for penetrating cybersecurity defenses within the aviation sector. 

Cybersecurity threat awareness and infonnation security training programs for all airport, airlines 
and aviation industry employees is perhaps one of the most effective and cost-efficient ways of 
increasing airports and airlines cybersecurity readiness. The NIST “Framework for Improving 
Critical Infrastructure Cybersecurity” (NIST 2014) specifically indicates that cybersecurity 
awareness and training is a critical and indispensable component to an entity’s overall 
cybersecurity program. 

Numerous resources are available for cybersecurity training at the federal, department, and state- 
level. According to the survey of airports in the United States, by the Airport Cooperative 
Research Program (ACRP) as published in 2015, 20 of 27 (74%) of the responding airports 
indicated that they engage in some form of employee infonnation security awareness training. 
However, due to the multitude of differences within airport governance and organizational 
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structures, the scope, depth and quality of training may vary significantly from airport to airport. 
Numerous additional factors may also adversely impact the quality and scope of training such as 
availability of budgets, subject matter expertise and adequate buy-in from senior management. 
Adopting and requiring a unifonn standard which establishes a minimum training requirement 
for airport, airlines and other aviation sector employees on a defined and reoccurring basis 
should be given strong consideration by Congress and appropriate aviation sector regulatory 
agencies such as the FAA and TSA. 

Conclusion 

Our nation’s airports, airlines and other critical aviation infrastructure are heavily reliant on 
information technology and complex data networks to support the growing demands of our 
economic and strategic interests. As the adoption of current and future technologies increases to 
support the aviation sector both here and abroad, the threat of disruptive cyber-attacks on 
airports, airlines and critical aviation infonnation systems and data will undoubtedly increase as 
well. Evolution towards a more effective, non-voluntary cyber risk mitigation strategy against 
this pernicious and imminent threat must be undertaken proactively and with a renewed sense of 
urgency. The need for increased assistance and improved regulatory oversight, as well as the 
urgent adoption and implementation of a baseline cybersecurity protection framework and 
standard for infonnation sharing and workforce training, is absolutely essential to the nation’s 
security and long-term economic prosperity. 

Thank you again for the opportunity to testify before you today. I look forward to answering any 
questions you may have. 
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